Tokenization revocation list

ABSTRACT

A method for providing a token revocation list is disclosed. The method includes maintaining a status for each of a plurality of tokens in a token revocation database. Token validation requests are received, and the statuses of payment tokens can be determined. Response messages with the statuses of the payment tokens are then sent to token status requesters so that they may make decisions on whether or not to use them to process transactions.

CROSS-REFERENCE TO RELATED APPLICATIONS

This application is a non-provisional application of and claims the benefit of the filing date of U.S. Provisional Patent Application No. 61/889,987, which was filed on Oct. 11, 2013, which is herein incorporated by reference in its entirety for all purposes.

BACKGROUND

In a tokenized payment transaction, a consumer provides a merchant with a token, which can represent an account that is associated with the consumer. In the case of credit and debit card transactions, the account may be issued and held by an issuer, which is typically a bank. The token may be a substitute account number that is associated with the real account number, but is not the real account number. Tokens can be limited in use and provide greater security for the payment transaction. If the token is obtained by an unauthorized person in a fraudulent manner, the real account number is not compromised.

While tokenized payment transactions are useful, a merchant that accepts a token may not be able to confirm that the token is valid. For example, a token may be expired, compromised, or invalid for a number of reasons. The merchant may be unaware that the payment token that is provided for payment is invalid until the token is submitted for authorization and authorization is subsequently denied. As a result, the merchant or issuer may incur unnecessary losses.

Another issue to be addressed is that there are many different parties in the payment ecosystem that can generate and/or transform tokens. Thus, it may be the case that entities including merchants, issuers, payment processors, third parties and the like might issue payment tokens and/or further tokenize or transform payment tokens. Because tokens are inherently unrecognizable substitutes for account numbers, it is difficult if not impossible for the party holding the payment token to determine which entity issued the token and check on its status. Further, even if the possessor of the token could determine the entities that actually issued the payment tokens that it received, it would be frustrating and difficult for the possessor to check with multiple entities as to the validity of the tokens that it receives. As noted above, tokens may be generated by issuers, payment processors, and even merchants.

Embodiments of the present invention solve these problems and other problems, individually and collectively.

SUMMARY

Embodiments of the invention are directed to methods and systems for validating payment tokens using a tokenization revocation list. The token revocation list may be in a token revocation list computer system, which may include the token statuses of tokens generated by different entities. Since the token revocation list computer system can consolidate the payment tokens generated by multiple different entities, the token revocation list may serve as a single communication point for a token status requester to check on the status of a payment token, regardless of which entity actually generated the payment token.

One embodiment of the invention is directed to a method. The method comprising maintaining, by a token revocation list computer system, a status for each of a plurality of tokens issued by the server computer in a token revocation database, and then receiving, by the token revocation list computer system, a token validation request from a requester device. The token validation request includes at least one payment token of the plurality of tokens. The method further comprises determining, by the token revocation list computer system, the status of the at least one payment token of the plurality of tokens by searching the token revocation database for the status of the at least one of the plurality of tokens. After the status is determined, the token revocation list computer system sends a token validation response including the determined status of the at least one payment token of the plurality of tokens.

Another embodiment of the invention is directed to a token revocation list computer system comprising a token status list database and a token status list computer comprising a processor, and a computer readable medium coupled to the processor. The computer readable medium comprises code, executable by the processor, to implement a method. The method comprises maintaining a status for each of a plurality of tokens issued by the server computer in a token revocation database, and receiving a token validation request from a requester. The token validation request includes at least one payment token of the plurality of tokens. The method also comprises determining the status of the at least one of the plurality of tokens by searching the token revocation database for the status of the at least one payment token of the plurality of tokens, and sending a token validation response including the determined status of the at least one payment token of the plurality of tokens.

Another embodiment of the invention is directed to a token validation system. The token validation system comprises a requester device and a token revocation list computer system in communication with the requester device. The token revocation list computer system comprises (a) a token status list database and (b) a token status list computer. The token status list computer comprises a processor and a computer readable medium coupled to the processor. The computer readable medium comprises code executable by the processor to implement a method comprising (i) maintaining a status for each of a plurality of tokens issued by the server computer in a token revocation database, (ii) receiving a token validation request from a requester, wherein the token validation request includes at least one payment token of the plurality of tokens, (iii) determining the status of the at least one of the plurality of tokens by searching the token revocation database for the status of the at least one payment token of the plurality of tokens, and (iv) sending a token validation response including the determined status of the at least one payment token of the plurality of tokens.

These and other embodiments are described in further detail below with reference to the Drawings and the Detailed Description.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 shows a portion of a token validation system according to an exemplary embodiment of the present invention.

FIG. 2 shows another portion of the token validation system according to an embodiment of the present invention.

FIG. 3 shows a block diagram of a token revocation list computer system according to an embodiment of the present invention.

FIG. 4 shows a diagram of an exemplary token provider system according to an embodiment of the invention.

FIG. 5 shows a block diagram of a computer system according to an embodiment of the invention.

DETAILED DESCRIPTION

Embodiments of the invention are directed to methods and systems for validating tokens using a tokenization revocation list (TRL) responder, which may alternatively be referred to as a tokenization revocation list (TRL) computer system.

A “token” may include an identifier for a payment account that is a substitute for an account identifier, such as a primary account number (PAN). For example, a token may include a series of alphanumeric characters that may be used as a substitute for an original account identifier (e.g., a pseudo account number). For example, a token “4900 0000 0000 0001” may be used in place of a PAN “4147 0900 0000 1234.” In some embodiments, a token may be “format preserving” and may have a numeric format that conforms to the account identifiers used in existing payment processing networks (e.g., ISO 8583 financial transaction message format). In some embodiments, a token may be used in place of a PAN to initiate, authorize, settle or resolve a payment transaction or represent the original credential in other systems where the original credential would typically be provided. In some embodiments, a token value may be generated such that the recovery of the original PAN or other account identifier from the token value may not be computationally derived. Further, in some embodiments, the token format may be configured to allow the entity receiving the token to identify it as a token and recognize the entity that issued the token.

As noted above, in a tokenized payment transaction, a consumer may provide a payment token to a merchant instead of a real account number. The merchant processes the payment token like a credit or debit card number to obtain payment for a good or service from the consumer's account. However, these transactions can be insecure, because the token may have expired, been compromised, or rendered invalid for other reasons. If the merchant waits until a later time to authorize the transaction, the merchant may not discover that a token is invalid until authorization is denied.

It would be desirable to provide for a trusted entity such as a TRL computer system, which can verify the validity of a payment token. For example, a POS terminal at a merchant can tokenize a PAN (primary account number) to produce an initial payment token. Any upstream consumers can further tokenize the initial token to produce a subsequent payment token. This process can remove the trust chain and can make the application of value added services like risk and fraud identification difficult. Further, in the case where there is a flagged risk, there is no current method to determine if a payment token is no longer valid as a payment instrument. However, embodiments of the present invention may validate a payment token by requesting validation from an entity with access to a tokenization revocation list (TRL) computer system. The TRL computer system may provide information regarding whether one or more payment tokens have been revoked or are otherwise in poor standing with any entity in the transaction system.

Illustratively, in one embodiment of the invention, a consumer may purchase goods or services from a merchant and may provide a payment token to the merchant. If the merchant suspects that the token may not be valid for some reason, the merchant can send a token validation request to a TRL computer system. The token validation request may be transmitted from the merchant to the TRL computer system through a communications network that may be insecure. To provide security for the token validation request, the token validation request may comprise information identifying the requesting merchant such as a requester name, hashed information such as a hash of the TRL computer system name, and a hash of a public key, the payment token from the consumer, and a nonce. A hashing algorithm identifier (e.g., SHA-2 or SHA-3 identifier) may also be present in the token validation request, so that the TRL computer system knows which hashing algorithm to use to generate the hashed information. The TRL computer system may maintain a token database that indicates the revocation status of payment tokens issued to various token issuers. The TRL computer system may then locate a record of the payment token in the token validation request and may confirm that it is valid (or not valid).

After determining the validity of the payment token in the token validation request, the TRL computer system may then generate a token validation response to be transmitted from the TRL computer system to the merchant. The token validation response may comprise a response status indicating whether or not the token validation request was accepted, a responder ID such as the TRL computer system public key, a timestamp, the nonce, the hashed information, the payment token, and a TRL status code. The TRL status code may inform the merchant as to whether or not the payment token is valid or not valid. The merchant may then receive the token validation response, accept the payment token if it is valid, and complete the payment transaction with the consumer.

In some embodiments of the invention, the payment token can be used like an ordinary credit or debit card number. For example, an access device (e.g., a POS terminal or merchant Web server) at the merchant may generate an authorization request message. The authorization request message may be transmitted to an acquirer computer operated by an acquirer associated with the merchant. The acquirer computer may then transmit the authorization request message comprising the payment token to a payment processing network, which may have access to a token provider system which issued the payment token.

A payment processing network may include data processing subsystems, networks, and operations used to support and deliver authorization services, exception file services, and clearing and settlement services. An exemplary payment processing network may include VisaNet™. Payment processing networks such as VisaNet™ are able to process credit card transactions, debit card transactions, and other types of commercial transactions. VisaNet™, in particular includes a Visa Integrated Payments (VIP) system which processes authorization requests and a Base II system which performs clearing and settlement services. Furthermore, the payment processing network may include a server computer and may use any suitable wired or wireless telecommunications network, including the Internet.

After the token provider system receives the payment token, the token provider system may then provide the real account number associated with the payment token. A computer in the payment processing network can then generate a modified authorization request message with the real account number and can send the real account number to an issuer computer for authorization.

The issuer computer may then approve or disapprove of the transaction, and may then generate an authorization response message. The authorization response message comprises the real account number and is transmitted to the payment processing network. The computer in the payment processing network may then generate a modified authorization response message comprising the payment token and may transmit this back to the access device via the acquirer computer.

At the end of the day, a clearing and settlement process using the token and the real account number may take place between the acquirer computer, the payment processing network, and the issuer computer. The payment processing network may substitute the payment token for the real account number in the clearing messages, similar to the authorization request messages described above.

The token validation method and system according to embodiments of the invention can provide merchants with greater assurance that their transactions will be processed without interruption. For example, using embodiments of the invention, merchants can decide not to use payment tokens that have not been properly validated. Higher assurance can also be provided for tokens that are generated or stored on mobile devices. Furthermore, using embodiments of the invention, merchants are encouraged to accept tokens and merchants do not have to store sensitive consumer account information. Payments are also more secure for consumers, since payment tokens are more widely accepted and trusted using embodiments of the invention.

Embodiments of the invention providing the further advantage of safeguarding token status information from unauthorized entities. In some cases, fraudsters may illicitly obtain consumers' payment tokens. However, the fraudsters may not know if the payment tokens are valid and usable to conduct transactions. Embodiments of the invention can provide a token validation method that securely validates the identity of a token status requestor. Thus, embodiments can protect against unauthorized entities determining the status of a token.

Therefore, embodiments of the invention improve transaction security for merchants, issuers, payment processors, and consumers. Payment token fraud and risk are reduced when the parties that use or process the payment tokens can be made aware of their validity status.

I. Exemplary Systems

FIG. 1 shows a portion of a token validation system 100 according to an embodiment of the present invention. The token validation system 100 may comprise a first entity device 110 operated by a first entity 111 (e.g., a first merchant A), a second entity device 120 operated by a second entity 121 (e.g., a second merchant B), and a TRL computer system 130. The first entity device 110 may be in communication with the second entity device 120. The first entity device 110 and the second entity device 120 may alternatively be referred to as first and second requester devices, and may be in communication with the TRL computer system 130 via a communications network 140.

The TRL computer system 130 may include a server computer coupled to a token database with information about flagged, revoked, or otherwise invalid payment tokens. In some embodiments, the TRL computer system 130 may also be a token issuer. Further details regarding an exemplary TRL computer system 130 are provided below with reference to FIG. 3.

The communications network 140 may be any one and/or the combination of the following: a direct interconnection; the Internet; a Local Area Network (LAN); a Metropolitan Area Network (MAN); an Operating Missions as Nodes on the Internet (OMNI); a secured custom connection; a Wide Area Network (WAN); a wireless network (e.g., employing protocols such as, but not limited to a Wireless Application Protocol (WAP), I-mode, and/or the like); and/or the like. The communications network 140 may be insecure, and as described herein, various specific communication protocols are provided to ensure that the transmission of token validation requests and responses are secure.

In embodiments of the invention, the second entity 121, which operates the second entity device 120, may enroll in a token validation program. To enroll, the second entity 121 can provide a requester name to the TRL computer system 130 so that the TRL computer system 130 may identify the second entity 121. The TRL computer system 130 may provide information (e.g., hashing algorithms, a TRL responder name or other identifier, a public key, etc.) that will enable secure communication with the second entity 121.

In embodiments of the invention, the TRL computer system 130 may receive and manage information about the status of one more tokens. The TRL computer system 130 may maintain a TRL containing records of the status of tokens. The TRL may compile information that is provided by one or more token issuers and processors such as banks (e.g. issuers, acquirers), payment processors (e.g. Visa™, American Express™), merchants, consumers, or any other entity capable of issuing or processing tokens. The first entity device 110 operated by the first entity 111 may receive tokens from a token issuer (e.g., either of the first or second token provider systems 160, 170 in FIG. 2), and the TRL computer system 130 may also receive information about these tokens from the token issuer. In embodiments where the TRL computer system 130 is a token issuer, the token information may be stored in the tokenization revocation list when a token is issued. In any case, the TRL computer system 130 may be able to anticipate any token that may be submitted by the first entity device 110 operated by first entity 111 and maintain a comprehensive list of existing and possible tokens.

In some embodiments, the first entity 111 operating the first entity device 110 may also enroll with TRL computer system 130. The TRL computer system 130 may be operated by a token issuer and may provide the first entity device 110 operated by the first merchant with a set of tokens or a token generating algorithm for use in transactions. In this scenario, TRL computer system 130 may update the TRL with records of tokens generated by TRL computer system 130. Alternatively, the first entity device 110 operated by the first entity 111 may be a first merchant and a token issuer. The first entity 111 may issue or generate tokens that it will use for payments, such as payments to the second entity 121, which may be a merchant. In this case, the first entity 111 may enroll with the TRL computer system 130 so that the first entity 111 may inform the TRL computer system 130 of a token generation algorithm or a set of tokens that may be used by the first entity 111. Therefore, TRL computer system 130 may be able to update the TRL with information about tokens that may be used by the first entity 111.

In an exemplary illustration, the first entity 111 may be a first merchant that wishes to purchase goods and/or services from the second entity 121, which may be a second merchant. For example, first entity 111 may be a first merchant that may sell products made by the second entity 121, which may be a second merchant. Alternatively, the first entity 111 may be a typical consumer and not a merchant. For example, the first entity 111 may be an end consumer purchasing a final product made or sold by the second entity 121. In this scenario, the first entity 111 may be a consumer that is capable of making payments with tokens. The first entity 111 may receive tokens on a portable consumer device (e.g., a smart card, a mobile phone, a key fob) from a token issuer, and provide a token at a POS device during a transaction with the second entity 121.

The first entity device 110 may be in any suitable form in including, but not limited to a mobile phone, an access device, a standalone or mobile computer, a smart card, etc. In some embodiments, the first entity device 110 may be capable of generating or receiving payment tokens. It may include a token generating algorithm, and/or may receive payment tokens from a token issuer. In some embodiments, the TRL computer system 130 may be a token issuer that provides the first entity device 110 with payment tokens.

The second entity 121 may be a merchant that receives a transaction request and a payment token from the first entity 111. The second entity 121 may operate a second entity device 120, which may have the same or different form as the first entity device 110. The second entity 121 may be an acquirer bank associated with a merchant, a merchant, a consumer, or any other suitable entity. In some embodiments, the second merchant 121 may authorize the payment token immediately, before releasing goods to the first entity 111. In one illustration, the second entity 121 may submit all payment tokens in bulk at the end of the day. The second entity 121 may also be capable to generate a token validation request message, also referred to as a TRL request, and to send the token validation request message to the TRL computer system 130.

The TRL computer system 130 may include a server computer associated with a token issuer and/or a payment processing network. Alternatively, the TRL computer system 130 may be de-centralized and associated with a third party.

FIG. 3 shows a block diagram of some components of a TRL computer system 130 according to an embodiment of the invention. It includes a token status list computer 130A, which may include a processor 130A-1, a computer readable medium 130A-2, and a network interface 130A-3. The token status list computer 130A may be coupled to a token status list database 130B, which may include token data 130B-1.

The processor 130A-1 may include a CPU that comprises at least one high-speed data processor adequate to execute program components for executing user and/or system-generated requests. The CPU may be a microprocessor such as AMD's Athlon, Duron and/or Opteron; IBM and/or Motorola's PowerPC; IBM's and Sony's Cell processor; Intel's Celeron, Itanium, Pentium, Xeon, and/or XScale; and/or the like processor(s).

The computer readable medium 130A-2 may comprise code, executable by the processor 130A-1, for implementing a method comprising maintaining a status for each of a plurality of tokens issued by the server computer in a token revocation database, receiving a token validation request from a requester, wherein the token validation request includes at least one payment token of the plurality of tokens, determining the status of the at least one of the plurality of tokens by searching the token revocation database for the status of the at least one payment token of the plurality of tokens, and sending a token validation response including the determined status of the at least one payment token of the plurality of tokens.

The TRL computer system 130 may maintain a list of tokens in the token database 1308, which may include the TRL. The TRL computer system 130 may communicate whether a token or a list of payment tokens have been revoked for various reasons.

Information about the various payment tokens in the token database 1308 may include a database key identifying a specific data item, a token ID which may be the payment token itself, a token status (e.g., valid, revoked, or on hold), and the provider of the payment token. This database 1308 preferably does not include real account numbers associated with the payment tokens that it stores, or any other sensitive PAI (payment account information). A payment token may be revoked because it has expired, or has been reported or flagged as being fraudulent or misused (e.g., exceeding a payment boundary such as when a $10 token is used to conduct a $100 transaction). A payment token may be on hold when the token is valid and the use is not otherwise improper, but the use is temporarily suspended (e.g., due to a credit limit being temporarily exceeded).

As noted above, the TRL computer system 130 may be operated by a token issuer capable of generating tokens and providing the tokens to the first entity device 110 operated by the first entity 111. Alternatively, TRL computer system 130 may provide a token generating algorithm to the first entity device 110, or receive information about a token generating algorithm from the first entity device 110. In any case, the TRL computer system 130 can anticipate the receipt of any payment token that may be submitted by the first entity device 110 and maintain a comprehensive list of existing and possible tokens.

The computer readable medium 130A-2 of the TRL computer system 130 may further include code for one or more hashing or encryption algorithms. The TRL computer system 130 may also be configured to receive a token validation request, look up one or more tokens from the request in the token database, determine the status of the one or more tokens, generate a token validation response message indicating the status of the one or more tokens, and send the response message to the requester. Further, TRL computer system 130 can also receive notifications of compromised tokens and update the token database accordingly. For example, the TRL computer system 130 may determine that all tokens issued by a specific merchant or bank are revoked because the merchant or bank's token database was hacked, leaked, or otherwise compromised.

The first entity device 110 and the second entity device 120 may be included in a typical credit or debit account or card transaction processing system. For example, the second entity 121 which operates the second entity device 120 may be a merchant with an associated acquirer. In some embodiments, an acquirer computer associated with second entity 121 may employ the above described roles of second entity 121 in a token validation system. Further TRL computer system 130 may be located at any part of a typical transaction ecosystem or de-centralized and associated with a third party. For example, TRL computer system 130 may be associated with a payment processing network. In some embodiments, the first entity device 110, the second entity device 120, and TRL computer system 130 may each comprise a server computer, or be operatively coupled to a server computer.

A server computer can be a powerful computer or a cluster of computers. For example, the server computer can be a large mainframe, a minicomputer cluster, or a group of servers functioning as a unit. In one example, the server computer may be a database server coupled to a Web server.

An acquirer computer can be associated with the second entity device 120 if it is a merchant computer. The acquirer computer may be communicatively coupled to the merchant computer and a payment processing network computer and may issue and manage a financial account for the merchant. In some embodiments, the acquirer computer may receive an authorization response message and may forward it to the merchant computer during a transaction to confirm processing of a payment transaction.

FIG. 2 shows another portion of the token validation system 100. FIG. 2 shows a first token provider system 160 and a second token provider system 170 communicating with the TRL computer system 130 via the communications network 140. The first and second token provider systems 160, 170 may be operated by any suitable entities that may generate and maintain payment tokens. Such entities may include payment processors, issuers, acquirers, merchants, etc.

Such information relating to tokens and the status of tokens may be passed between the first token provider system 160 and the TRL computer system 130 via the first communications path 60. Information relating to tokens and the status of tokens may be passed between the second token provider system 170 and the TRL computer system 130 via the second communications path 70. If either the first token provider system 160 or the second token provider system 170 has updates to the status of the tokens that it generated, then this information may be provided to the token revocation list computer system 130.

FIG. 4 shows a block diagram of some components of a token provider computer system 160. It includes a first token requester computer 160A, which may include a processor 160A-1 (which may include the same or different type of data processor as processor 130A-1 in FIG. 3), a computer readable medium 160A-2, and a network interface 160A-3. The token requester computer 160A may be coupled to a token vault database 1308, which may include token and account data 160B-1.

As shown in FIG. 4, the token vault database 1608 may include token and account data 160B-1. Token and account data 160B-1 may include an real account numbers, payment tokens associated with those real account numbers, token statuses for those real account numbers, and any details or notes regarding the statuses. Generally with the exception of sensitive information such as the real account numbers of consumers, any of the information in the token vault database 1608 may be shared with the TRL computer system 130. The information may be shared at any suitable time interval (e.g., daily, hourly, weekly, etc.).

II. Exemplary Methods

Exemplary methods according to embodiments of the invention may also be described with reference to FIGS. 1 and 2.

Before a transaction begins, between the first entity 111 and the second entity 112, the first entity 111 may select goods or services for purchase from the second entity 121. Additionally, before the transaction method shown in FIG. 1 begins, the TRL computer system 130 may build, manage, and/or maintain a status for each of a plurality of tokens issued by the various token provider systems including the first and second token provider systems 160, 170 shown in FIG. 2. Each of the first and second token provider systems 160, 170 may access the TRL computer system 130 by providing certain credentials (e.g., name, password, and device ID) which authenticate the first and second token provider systems 160, 170.

At step 10, using the first entity device 110, the first entity 111 may provide a payment token to the second entity device 120 to purchase goods and/or services from the second entity 121. The payment token may be used for a one time purchase or for recurring purchases. The payment token may be provided from the first entity device 110 to the second entity device 120 in any suitable manner. For example, the first entity device 110 may be a mobile phone that stores a payment token and this payment token may be transmitted to the second entity device 120 using any suitable contact based or contactless (e.g., RF) mode of transmission. In another example, the first entity device 110 may be a client computer and may direct a virtual wallet hosted by a wallet server to provide the payment token to the second entity device 120.

At step 20, the second entity 121 may be concerned that the first entity 111 has an infrastructure or device that may have been compromised, and may wish to validate the payment token with the TRL computer system 130 before proceeding with the transaction. In some cases, the second entity 121 may not intend to authorize the transaction until a later time, but may wish to verify that the transaction will likely be authorized by validating the payment token. Instead of immediately sending the payment token in an authorization request message to a payment processing network and/or issuer, the second entity 121 may compose and send a validation request message with their digital signature to TRL computer system 130.

The token validation request message, or TRL request 20 may comprise a requester name, hashed information, one or more payment tokens, and a nonce. The requester name may be the name of the entity that sent the request message. For example, the requester name may be the name of the second entity 121 or any other indication of the identity of the requester. The hashed information may include a hashing algorithm identifier (e.g. SHA-2 or SHA-3 identifier), a hash of the TRL computer system 130 name, a hash of the token issuer public key, and/or any other suitable information. The nonce may be a one-time value, such as a unique set of characters, to prevent replay attacks. Any subsequent message with a repeated nonce may be disregarded as fraudulent. The one or more payment tokens may be payment tokens provided by one or more entities such as the first entity 111.

At step 30, TRL computer system 130 may receive and read the signed token validation request message from the second entity 121 and may validate the payment token. The token validation request message may comprise at least one payment token or an identifier associated with the payment token. TRL computer system 130 may first assess the request message. In some embodiments, assessing the token validation request message may include validating the digital signature of the request message with a public key corresponding to the requester name included in the request message, and ensuring that the requester is authorized to validate the received token. If the request is invalid (e.g. the requester is unauthorized, request is badly formatted, not signed, has an incorrect signature, etc.), the TRL computer system 130 may not validate the token, and may instead send a response indicating that the request was not accepted.

If the request is valid, the TRL computer system 130 may accept the request message 20 and determine the status of the at least one token by searching the token revocation database for the status of the at least one token. Accordingly, the TRL computer system 130 may query the token database for a status associated with the received one or more tokens. TRL computer system 130 may look up the revocation status of the payment token in the token validation request message 20 received from the second entity device 120 in the token database in the TRL computer system 130. The TRL computer system 130 may determine that the token is, for example, valid (or active), on hold, or revoked. In some embodiments, a specific status code may be associated with the payment token. In some embodiments, the database of the TRL computer system 130 may be the only trusted location that is easily accessible to various parties where a compromise of the first entity's payment token would be recorded.

At step 40, TRL computer system 130 may generate and send a token validation response message, or TRL response 40, to the second entity device 120. The token validation response message 40 may comprise a response status, responder ID, timestamp, nonce, hashed information, one or more payment tokens, and one or more TRL status codes representing the status of the one or more payment tokens. For example, if TRL computer system 130 confirms that the payment token from the first entity 111 is valid, then it may return a status code “9”, which mean that the token is valid. Alternatively, if the token validation request message was not accepted, the token validation response message may not indicate the TRL status code, but may instead indicate that the request was not accepted.

The response status may indicate whether the token validation request message was accepted. For example, the request message may be rejected because it is sent by an unauthorized requester, it is a badly formatted request, it is not signed, or for any other suitable reason.

The responder ID may be a hash value of the TRL computer system 130 public key. Alternatively, the responder ID may be any other value that may indicate the identity of TRL computer system 130.

The timestamp may indicate the time when the response was prepared and signed by the TRL computer system 130. For example, the timestamp may be the final composed portion of the message, and may indicate the time of the moment just before the message was finished and sent, or any other suitable time.

The one or more TRL status codes may indicate the status of the one or more payment tokens. For example, the payment tokens may have a status of valid (or active), on hold, or revoked. A token may be irreversible revoked if, for example, the token issuer (e.g. issuing bank or merchant, etc.) improperly issued a token, or if their token generation algorithm or any mechanisms that identify the payment instrument component of the token have been compromised. An “on hold” token may be a reversible status to mark a temporary state of the payment token. For example, the token issuing bank or merchant may not be sure if any component of their token lifecycle has been compromised, or there may be suspected fraudulent use of a token that turns out to be a false positive.

The status code may be a code representing a specific token state, and other statuses besides valid, revoked and on hold may be used. For example, in some embodiments of the invention, the number “0” may indicate that the status is unspecified, “1” may indicate that the token is suspected of fraud, “2” may indicate that the issuer of the token has been compromised, “3” may indicate that the processor of the token has been compromised, “4” may indicate that the token is expired, “5” may indicate that the token is not eligible for the type or amount of the requested transaction, and “6” may indicate that the token is valid. Any other suitable set of status code numbers that may indicate any other suitable status may also be used.

At step 50, the second entity device 120 may receive and cryptographically verify (this could be using a private key belonging to the second entity 120) the token validation response message. For example, in some embodiments, second entity device 120 may verify a digital signature of response message 40 using a public key corresponding to the responder ID received in response message 40. The second entity device 120 may then proceed to accept the payment token if it is valid, and send a message to the first entity device 110 indicating that the payment token is accepted, and complete the transaction with the first entity 111 (as described above). The second entity 121 may release the goods and/or services purchased by the first entity 110. If the token validation response message indicates that the token is revoked or on hold, the second entity 120 may reject the token. The second entity 120 may then send a message to the first entity 110 indicating that the token was rejected and the transaction is denied, or that different payment information should be provided.

Embodiments of the invention have a number of advantages. For example, by providing a token revocation list at a central location, accessible to and used by a number of different token issuing entities, the statuses of tokens that are used in a payments ecosystem can be checked before proceeding with transactions. This provides for a convenient way for entities that issue payment tokens to communicate the statuses of their tokens to various users in the ecosystem that want to use or process payment tokens. In addition, some of the specific communication protocols disclosed herein provide for a secure and efficient way for token status requesters to safely inquire about the status of payment tokens, even if the communication network that is being used is not as secure as it should be. This not only protects the status of the tokens from eavesdroppers, but can prevent unauthorized parties from requesting the status of a token.

It is noted that other embodiments are also possible. For example, embodiments of the invention could be operated by an issuer, acquirer, or any other entity within a transaction processing system.

The various participants and elements in any of FIGS. 1-4 may operate one or more computer apparatuses (e.g., a server computer) to facilitate the functions described herein. Any of the elements in FIGS. 1-4 may use any suitable number of subsystems to facilitate the functions described herein. Examples of such subsystems or components are shown in FIG. 5. The subsystems such as a printer 208, keyboard 216, fixed disk 218 (or other memory comprising computer readable media), monitor 212, which is coupled to a display adapter 210, and others are shown. Peripherals and input/output (I/O) devices, which couple to I/O controller 202, can be connected to the computer system by any number of means known in the art, such as serial port 214. For example, serial port 214 or external interface 220 can be used to connect the computer apparatus to a wide area network such as the Internet, a mouse input device, or a scanner. The interconnection via system bus allows the central processor 206 to communicate with each subsystem and to control the execution of instructions from system memory 204 or the fixed disk 218, as well as the exchange of information between subsystems.

Specific details regarding some of the above-described aspects are provided below. The specific details of the specific aspects may be combined in any suitable manner without departing from the spirit and scope of embodiments of the invention.

Storage media and computer readable media for containing code, or portions of code, may include any appropriate media known or used in the art, including storage media and communication media, such as but not limited to volatile and non-volatile, removable and non-removable media implemented in any method or technology for storage and/or transmission of information such as computer readable instructions, data structures, program modules, or other data, including RAM, ROM, EEPROM, flash memory or other memory technology, CD-ROM, digital versatile disk (DVD) or other optical storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, data signals, data transmissions, or any other medium which may be used to store or transmit the desired information and which may be accessed by the computer. Based on the disclosure and teachings provided herein, a person of ordinary skill in the art may appreciate other ways and/or methods to implement the various embodiments.

It should be understood that the present invention as described above may be implemented in the form of control logic using computer software in a modular or integrated manner. Based on the disclosure and teachings provided herein, a person of ordinary skill in the art may know and appreciate other ways and/or methods to implement the present invention using hardware and a combination of hardware and software

Any of the software components or functions described in this application, may be implemented as software code to be executed by a processor using any suitable computer language such as, for example, Java, C++ or Perl using, for example, conventional or object-oriented techniques. The software code may be stored as a series of instructions, or commands on a computer readable medium, such as a random access memory (RAM), a read only memory (ROM), a magnetic medium such as a hard-drive or a floppy disk, or an optical medium such as a CD-ROM. Any such computer readable medium may reside on or within a single computational apparatus, and may be present on or within different computational apparatuses within a system or network.

The above description is illustrative and is not restrictive. Many variations of the invention may become apparent to those skilled in the art upon review of the disclosure. The scope of the invention should, therefore, be determined not with reference to the above description, but instead should be determined with reference to the pending claims along with their full scope or equivalents.

One or more features from any embodiment may be combined with one or more features of any other embodiment without departing from the scope of the invention.

A recitation of “a”, “an” or “the” is intended to mean “one or more” unless specifically indicated to the contrary. 

What is claimed is:
 1. A method comprising: maintaining, by a token revocation list computer system, a status for each of a plurality of tokens issued by the server computer in a token revocation database; receiving, by the token revocation list computer system, a token validation request from a requester device, wherein the token validation request includes at least one payment token of the plurality of tokens; determining, by the token revocation list computer system, the status of the at least one payment token of the plurality of tokens by searching the token revocation database for the status of the at least one of the plurality of tokens; and sending, by a token revocation list computer system, a token validation response including the determined status of the at least one payment token of the plurality of tokens.
 2. The method of claim 1, wherein the at least one of the plurality of tokens was sent to the requester by a consumer or merchant.
 3. The method of claim 1, further comprising: determining, by the server computer, that the requester is registered with the token revocation list computer system for sending token validation requests.
 4. The method of claim 1 wherein the status is at least one of on hold, revoked, or active.
 5. The method of claim 1 wherein the token validation request comprises one or more of a requester name, hashed information, the at least one payment token, and a nonce.
 6. The method of claim 1 wherein the token validation response comprises one or more of token response status, a TRL computer system ID, a timestamp, a nonce, hashed information, the at least one payment token and a TRL computer system status code.
 7. The method of claim 1 therein the token validation response is sent to the requester device.
 8. The method of claim 1 wherein the token validation request and response are transmitted through a communications network that is insecure.
 9. The method of claim 1 wherein the at least one payment token is a single payment token that is a pseudo account number with the same format as a real account identifier associated with a payment account associated with a consumer.
 10. The method of claim 9 wherein the payment account is a credit card account.
 11. A token revocation list computer system comprising: a token status list database; and token status list computer comprising a processor, and a computer readable medium coupled to the processor, the computer readable medium comprising, code executable by the processor, to implement a method comprising maintaining a status for each of a plurality of tokens issued by the server computer in a token revocation database, receiving a token validation request from a requester, wherein the token validation request includes at least one payment token of the plurality of tokens, determining the status of the at least one of the plurality of tokens by searching the token revocation database for the status of the at least one payment token of the plurality of tokens, and sending a token validation response including the determined status of the at least one payment token of the plurality of tokens.
 12. The token revocation list computer system of claim 11 wherein the status is at least one of hold, revoked, or active.
 13. The token revocation list computer system of claim 11 wherein the token validation request comprises one or more of a requester name, hashed information, the at least one payment token, and a nonce.
 14. The token revocation list computer system of claim 11 wherein the token validation response comprises one or more of token response status, a TRL computer system ID, a timestamp, a nonce, hashed information, the at least one payment token and a TRL computer system status code.
 15. A token validation system comprising: a requester device; and a token revocation list computer system in communication with the requester device, the token revocation list computer system comprising (a) a token status list database, and (b) a token status list computer comprising a processor, and a computer readable medium coupled to the processor, the computer readable medium comprising, code executable by the processor, to implement a method comprising (i) maintaining a status for each of a plurality of tokens issued by the server computer in a token revocation database, (ii) receiving a token validation request from a requester, wherein the token validation request includes at least one payment token of the plurality of tokens, (iii) determining the status of the at least one of the plurality of tokens by searching the token revocation database for the status of the at least one payment token of the plurality of tokens, and (iv) sending a token validation response including the determined status of the at least one payment token of the plurality of tokens.
 16. The token validation system of claim 15 further comprising: a token provider system in communication with the token list computer system.
 17. The token validation system of claim 15 wherein the token validation request comprises a requester name, hashed information, the at least one payment token, and a nonce.
 18. The token validation system of claim 17 wherein the token validation response comprises a token response status, a TRL computer system ID, a timestamp, a nonce, hashed information, the at least one payment token and a TRL computer system status code. 